U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report

Subject:

AUDIT OF INFORMATION SYSTEMS
GENERAL AND APPLICATION CONTROLS AT
KAISER FOUNDATION HEALTH PLAN
NORTHERN AND SOUTHERN CALIFORNIA REGIONS

Date: June 18, 2009

CAUTION

This audit report has been distributed to Federal and Non-Federal officials who are responsible for the administration of the audited contract. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905); therefore, while this audit report is available under the Freedom of Information Act, caution needs to be exercised before releasing the report to the general public.


UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415
Office of the Inspector General

Audit Report

FEDERAL EMPLOYEES HEALTH BENEFITS PROGRAM
CONTRACT CS 1044
KAISER FOUNDATION HEALTH PLAN
NORTHERN AND SOUTHERN CALIFORNIA REGIONS
PLAN CODES 59/62

Report No. 1C-59-00-09-002

Date: June 18, 2009

Michael R. Esser
Assistant Inspector General for Audits
www.opm.gov


Executive Summary

Report No. 1C-59-00-09-002
Date: June 18, 2009

This final report discusses the results of our audit of general and application controls over the information systems at the Northern and Southern California regions of Kaiser Foundation Health Plan (Kaiser).

Our audit focused on the information systems used to process data related to Kaiser members that are part of the Federal Employees Health Benefits Program (FEHBP). We documented controls in place and opportunities for improvement in each of the areas below.

Entity-wide Security Program
The policies and procedures that comprise Kaiser’s entity-wide security program appear to provide an adequate foundation to protect the organization’s information resources. However, we determined that neither the Northern nor Southern California regions of Kaiser are routinely conducting business impact analyses and risk assessments in accordance with company policy.

Access Controls
Kaiser has implemented a variety of controls to prevent or detect unauthorized access to its physical and logical resources. Such controls include: procedures for securely granting and removing access to networks and applications; the use of tools to detect unauthorized network activity; and controls to encrypt data at rest and data transferred via email. However, we also noticed several areas where Kaiser’s access controls could be improved, including: physical access to its facilities;                                        ; security of network incident logs; review of active user accounts; disabling inactive user accounts; and password controls.

Application Development and Change Control
Kaiser has adopted a traditional system development life cycle (SDLC) methodology that incorporates the use of formal change requests managed by a project tracking tool. Kaiser also uses a structured approval process for all changes to its applications.

System Software
Kaiser has implemented a thorough system software change control methodology. This process utilizes a change management tool to control and track changes and involves multiple levels of approvals. It was also noted that Kaiser has implemented policies and procedures for conducting emergency changes and limiting access to system software to the appropriate individuals.

Business Continuity
A Disaster Recovery (DR) Organization has been designated within Kaiser with the responsibility to develop, support, test, maintain, and execute disaster recovery plans. However, we determined that a thorough business continuity and disaster recovery plan has not been implemented for any of the six information systems reviewed during this audit.

Application Controls
Kaiser has implemented a variety of controls to ensure that electronic transactions related to member service encounters are valid, authorized, and processed accurately. However, we noted several weaknesses in the manner in which Kaiser’s systems process FEHBP data.
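As an added illustration (not code from the audit, from Kaiser, or from any Kaiser system), the Python validator below applies the kinds of front-end encounter edits whose absence the next paragraph describes: procedure/diagnosis, procedure/gender, procedure/age and procedure/provider consistency, non-covered benefits, and emergency room to hospital transfers. Everything in its reference tables is a constructed assumption for the example: the procedure and diagnosis codes are placeholders rather than real CPT/ICD codes, the provider types, member and facility identifiers are made up, and the rule that an emergency room visit ending in a same-day admission to the same facility is bundled into the inpatient stay is an assumed plan rule, not a statement of Kaiser's.

```python
"""Front-end edit checks for member service encounters.  Added illustration,
not Kaiser's code; all codes and rules below are constructed assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class ProcedureRule:
    """What must be true of an encounter for this procedure to be accepted."""
    desc: str
    sex: Optional[str]                  # member sex the procedure requires, or None
    min_age: int                        # inclusive age range
    max_age: Optional[int]
    provider_types: frozenset           # rendering provider types allowed to bill it
    covered: bool                       # covered under the (assumed) benefit plan
    diagnoses: frozenset = frozenset()  # diagnoses that justify it; empty = none required
    emergency_room: bool = False
    inpatient_admission: bool = False


# Constructed reference table: placeholder codes, not a real code set.
RULES: Dict[str, ProcedureRule] = {
    "P-OB":    ProcedureRule("obstetric delivery", "F", 10, 60, frozenset({"MD", "DO", "CNM"}), True, frozenset({"D-DELIV"})),
    "P-VAS":   ProcedureRule("vasectomy", "M", 18, None, frozenset({"MD", "DO"}), True, frozenset({"D-STER"})),
    "P-IMM":   ProcedureRule("immunization administration", None, 0, None, frozenset({"MD", "DO", "NP", "PA", "RN"}), True, frozenset({"D-IMM"})),
    "P-COSM":  ProcedureRule("cosmetic procedure", None, 18, None, frozenset({"MD", "DO"}), False),
    "P-ER":    ProcedureRule("emergency department visit", None, 0, None, frozenset({"MD", "DO", "NP", "PA"}), True, emergency_room=True),
    "P-ADMIT": ProcedureRule("initial inpatient hospital care", None, 0, None, frozenset({"MD", "DO"}), True, inpatient_admission=True),
}


@dataclass(frozen=True)
class Encounter:
    encounter_id: str
    member_id: str
    member_sex: str                     # "M" or "F"
    member_age: int
    facility: str
    service_date: date
    procedure: str
    diagnoses: Sequence[str]
    provider_type: str


def edit_encounter(enc: Encounter, batch: Sequence[Encounter]) -> List[str]:
    """Return every edit the encounter fails; an empty list means accept it."""
    rule = RULES.get(enc.procedure)
    if rule is None:
        return ["unknown procedure code"]
    failures: List[str] = []
    if not rule.covered:
        failures.append("non-covered benefit")
    if rule.sex is not None and rule.sex != enc.member_sex:
        failures.append("procedure/gender inconsistency")
    if enc.member_age < rule.min_age or (rule.max_age is not None and enc.member_age > rule.max_age):
        failures.append("procedure/age inconsistency")
    if enc.provider_type not in rule.provider_types:
        failures.append("procedure/provider inconsistency")
    if rule.diagnoses and rule.diagnoses.isdisjoint(enc.diagnoses):
        failures.append("procedure/diagnosis inconsistency")
    # Assumed bundling rule: an ER visit that ends in admission to the same
    # facility on the same day is paid as part of the inpatient stay, so a
    # separate ER encounter for that member/facility/date is not accepted.
    if rule.emergency_room and any(
        o is not enc and o.member_id == enc.member_id and o.facility == enc.facility
        and o.service_date == enc.service_date
        and o.procedure in RULES and RULES[o.procedure].inpatient_admission
        for o in batch
    ):
        failures.append("emergency room to hospital transfer not bundled")
    return failures


def adjudicate(batch: Sequence[Encounter]) -> Dict[str, List[str]]:
    """Edit a whole batch; the batch is needed for the cross-encounter ER check."""
    return {enc.encounter_id: edit_encounter(enc, batch) for enc in batch}


# Constructed sample batch: one clean encounter, then one example of each
# failure the audit describes, then an unknown procedure code.
SAMPLE_BATCH = [
    Encounter("E1", "M001", "F", 31, "H1", date(2008, 10, 6), "P-OB", ("D-DELIV",), "MD"),
    Encounter("E2", "M002", "M", 31, "H1", date(2008, 10, 6), "P-OB", ("D-DELIV",), "MD"),
    Encounter("E3", "M003", "M", 12, "H1", date(2008, 10, 7), "P-VAS", ("D-STER",), "MD"),
    Encounter("E4", "M004", "F", 28, "H1", date(2008, 10, 7), "P-OB", ("D-DELIV",), "RN"),
    Encounter("E5", "M005", "F", 40, "H2", date(2008, 10, 8), "P-IMM", ("D-OTHER",), "RN"),
    Encounter("E6", "M006", "M", 45, "H2", date(2008, 10, 8), "P-COSM", ("D-OTHER",), "MD"),
    Encounter("E7", "M007", "M", 60, "H2", date(2008, 10, 9), "P-ER", ("D-OTHER",), "MD"),
    Encounter("E8", "M007", "M", 60, "H2", date(2008, 10, 9), "P-ADMIT", ("D-OTHER",), "MD"),
    Encounter("E9", "M009", "F", 30, "H1", date(2008, 10, 9), "P-XXX", (), "MD"),
]


def sample_results() -> Dict[str, List[str]]:
    return adjudicate(SAMPLE_BATCH)


if __name__ == "__main__":
    for enc_id, failures in sample_results().items():
        print(enc_id, "ACCEPT" if not failures else "REJECT: " + "; ".join(failures))
```

Run stand-alone, the block prints ACCEPT for E1 and E8 and the failing edit for each of the others. The point of the design is that every edit is evaluated and reported, rather than stopping at the first failure, and that the transfer check runs over the batch rather than over a single record, because an ER-to-inpatient transfer is only visible when the two encounters are compared.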
Kaiser’s systems inappropriately processed several transactions presented by OIG auditors, including: an encounter with a procedure/diagnosis inconsistency; an encounter with a procedure/gender inconsistency; an encounter with a procedure/provider inconsistency; an encounter with non-covered benefits; an encounter with emergency room to hospital transfers; and an encounter with a procedure/age inconsistency.

Health Insurance Portability and Accountability Act (HIPAA)
Nothing came to our attention that caused us to believe that Kaiser is not in compliance with the HIPAA security, privacy, and national provider identifier regulations.


Contents

Executive Summary
I. Introduction
    Background
    Objectives
    Scope
    Methodology
    Compliance with Laws and Regulations
II. Audit Findings and Recommendations
    A. Entity-wide Security Program
    B. Access Controls
    C. Application Development and Change Control
    D. System Software
    E. Business Continuity
    F. Application Controls
    G. Health Insurance Portability and Accountability Act
III. Major Contributors to This Report

Appendix: Kaiser’s March 13, 2009 response to the draft audit report, issued January 12, 2009.


I. Introduction

This final report details the findings, conclusions, and recommendations resulting from the audit of general and application controls over the information systems responsible for processing data related to Federal Employees Health Benefits Program (FEHBP) members at the Northern and Southern California Regions of Kaiser Foundation Health Plan (referred to throughout this report as ‘Kaiser’).

The audit was conducted pursuant to Contract CS 1044; 5 U.S.C. Chapter 89; and 5 Code of Federal Regulations (CFR) Chapter 1, Part 890. The audit was performed by the U.S.
Office of Personnel Management’s (OPM) Office of the Inspector General (OIG), as established by the Inspector General Act of 1978, as amended.

Background
The FEHBP was established by the Federal Employees Health Benefits Act (the Act), enacted on September 28, 1959. The FEHBP was created to provide health insurance benefits for federal employees, annuitants, and qualified dependents. The provisions of the Act are implemented by OPM through regulations codified in Title 5, Chapter 1, Part 890 of the CFR. Health insurance coverage is made available through contracts with various carriers that provide service benefits, indemnity benefits, or comprehensive medical services.

The           facilities supporting Kaiser’s Northern California region are located in                                    and the         facilities supporting Kaiser’s Southern California region are located in                        A data center supporting the information systems listed above is located in

This was the OIG’s first audit of general and application controls at Kaiser.

All personnel that worked with the auditors were particularly helpful and open to ideas and suggestions. They viewed the audit as an opportunity to examine practices and to make changes or improvements as necessary. Their positive attitude and helpfulness throughout the audit were greatly appreciated.

Objectives
The objectives of this audit were to evaluate controls over the confidentiality, integrity, and availability of FEHBP data processed and maintained in Kaiser’s IT environment. These objectives were accomplished by reviewing the following areas:
• Entity-wide security program;
• Access controls;
• Application development and change control;
• Segregation of duties;
• System software;
• Business continuity;
• Application controls specific to Kaiser’s claims processing systems; and
• Health Insurance Portability and Accountability Act (HIPAA) compliance.

Scope
Our performance audit was conducted in accordance with generally accepted Government Auditing Standards issued by the Comptroller General of the United States. Accordingly, the OIG obtained an understanding of Kaiser’s internal controls through interviews and observations, as well as the inspection of various documents, including information technology and other organizational policies and procedures. This understanding of Kaiser’s internal controls was used in planning the audit by determining the extent of compliance testing and other auditing procedures necessary to verify that the internal controls were properly designed, placed in operation, and effective.

We evaluated the confidentiality, integrity, and availability of Kaiser’s computer-based information systems, and found that there are opportunities for improvement in the information systems’ internal controls. These areas are detailed in the “Audit Findings and Recommendations” section of this report.
Since our audit would not necessarily disclose all significant matters in the internal control structure, we do not express an opinion on Kaiser’s system of internal controls taken as a whole.

The scope of this audit centered on, but was not limited to, the information systems used by Kaiser to process and store data related to its Northern and Southern California FEHBP members, including:
•                       – used by providers and hospitals to record the services provided to Kaiser members;
•                    – Kaiser’s membership system that stores data related to the Plan’s enrollees;
•                                     – a series of analytical databases that store and format data critical to Kaiser’s health plan and service delivery lines of business;
•                                  (                                – uses data produced by the other systems to develop the adjusted community pricing rates for Kaiser’s customers (e.g., OPM/FEHBP);
•                                                 – adjudicates claims submitted by outside (non-Kaiser) providers for services rendered to Northern California Kaiser members; and
•                                             – adjudicates claims submitted by outside (non-Kaiser) providers for services rendered to Southern California Kaiser members.

In conducting our audit, we relied to varying degrees on computer-generated data provided by Kaiser. Due to time constraints, we did not verify the reliability of the data used to complete some of our audit steps, but we determined that it was adequate to achieve our audit objectives. However, when our objective was to assess computer-generated data, we completed audit steps necessary to obtain evidence that the data was valid and reliable.

The fieldwork portion of this audit was performed in                                   These on-site activities were performed in October and November 2008. The OIG completed additional audit work before and after the on-site visits at OPM’s office in Washington, D.C. The findings, conclusions, and recommendations outlined in this report are based on the status of information system general and application controls in place at Kaiser as of November 28, 2008.

Methodology
In conducting this review the OIG:
• Gathered documentation and conducted interviews;
• Reviewed Kaiser’s business structure and environment;
• Performed a risk assessment of Kaiser’s information systems environment and applications, and prepared an audit program based on the assessment and the Government Accountability Office’s (GAO) Federal Information System Controls Audit Manual; and
• Conducted various compliance tests to determine the extent to which established controls and procedures are functioning as intended. As appropriate, the auditors used judgmental sampling in completing their compliance testing.

Various laws, regulations, and industry standards were used as a guide to evaluating Kaiser’s control structure. These criteria include, but are not limited to, the following publications:
• Office of Management and Budget (OMB) Circular A-130, Appendix III;
• Information Technology Governance Institute’s CobiT: Control Objectives for Information and Related Technology;
• GAO’s Federal Information System Controls Audit Manual;
• National Institute of Standards and Technology’s Special Publication (NIST SP) 800-12, An Introduction to Computer Security;
• NIST SP 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems;
• NIST SP 800-30, Risk Management Guide for Information Technology Systems;
• NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;
• NIST SP 800-41, Guidelines on Firewalls and Firewall Policy;
• NIST SP 800-53 Revision 2, Recommended Security Controls for Federal Information Systems;
• NIST SP 800-61, Computer Security Incident Handling Guide;
• NIST SP 800-66 Revision 1, An Introductory Resource Guide for Implementing the HIPAA Security Rule; and
• HIPAA Act of 1996.

Compliance with Laws and Regulations
In conducting the audit, the OIG performed tests to determine whether Kaiser’s practices were consistent with applicable standards. While generally compliant, with respect to the items tested, Kaiser was not in complete compliance with all standards as described in the “Audit Findings and Recommendations” section of this report.


II. Audit Findings and Recommendations

A. Entity-wide Security Program
The entity-wide security component of this audit examined the policies and procedures that are the foundation of Kaiser’s overall IT security controls.
The OIG evaluated Kaiser’s ability to manage risk, develop security policies, assign security-related responsibility, and monitor the effectiveness of various system-related controls.

The OIG also reviewed various Kaiser human resources (HR) policies and procedures to evaluate the controls in place regarding various HR functions such as hiring, terminations, transfers, conflicts of interest, training, and standards of conduct.

The policies and procedures that comprise Kaiser’s entity-wide security program appear to provide an adequate foundation to protect the organization’s information resources. However, the section below details one instance where Kaiser’s policy related to risk assessment did not appear to be enforced.

1. Risk Assessment

Kaiser’s Northern and Southern California regions have both developed a “Security Risk Management and Evaluation Policy” that details requirements for identifying and managing security incidents to reduce their harmful effects and prevent reoccurrence. The policy requires both regions to identify, assess, and mitigate risks related to the security of sensitive data.

In addition, according to Kaiser’s “National Kaiser Business Continuity Management Policy,” every department within the organization is required to identify critical business functions and work flow dependencies by performing a business impact analysis.

Based on interviews with Kaiser personnel and Kaiser’s response to various documentation requests, the OIG determined the requirements described above are not being adhered to by either the Northern or Southern California regions of Kaiser.

The HIPAA Security Rule (45 CFR 164.308(a)(1)(ii)) requires all Plans to: “(A) . . . Conduct accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. . . (B) . . . Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level . . . .”

Additionally, NIST SP 800-30, Risk Management Guide for Information Technology Systems, recommends that a risk assessment contain components such as risk identification, risk evaluation (probability and impact), and recommendations on how to manage and mitigate risks.

Failure to conduct thorough risk assessments increases the likelihood that system vulnerabilities may not be identified. Risk assessments and business impact analyses provide a basis for establishing appropriate security controls and selecting cost-effective techniques to implement these controls.

Recommendation 1
We recommend that Kaiser conduct periodic business impact analyses and risk assessments on its information systems in accordance with corporate policy, HIPAA requirements, and NIST guidelines.

Kaiser Response:
“While the Carrier generally agrees with this finding of the Draft Report, the Carrier wishes to highlight the important programs in place to establish compliance with its security risk and business continuity management policies and prevailing standards. These programs have already developed significant processes that fulfill the requirements of the security risk management and business continuity management policies and, to the extent that gaps remain, these programs have already developed plans to address them. Most of the programs began in 2008. Because the Carrier believed the scope of the audit was the 2007 Contract Year, the Carrier did not provide the auditors with documents related to activities that occurred after 2007.”

See Appendix for Kaiser’s full response to this recommendation.

OIG Reply:
The OIG issued a formal pre-audit request for documentation that asked for a copy of Kaiser’s “current risk assessments.” Nothing in this document indicated that the scope of the request was limited to the 2007 contract year. On September 15, 2008, Kaiser issued a written response to the OIG that stated that “the Carrier is currently planning a new risk assessment process to review all applications against updated security requirements and risk criteria. Since this assessment is in the planning stage, no risk assessment information is currently available.”

However, we do acknowledge the steps that Kaiser is taking to become fully compliant with its security risk and business continuity management policies. As part of the audit resolution process, we recommend that Kaiser provide OPM’s Center for Retirement and Insurance Services (CRIS) with appropriate supporting documentation of the actions it takes to address this audit recommendation.

B. Access Controls
Access controls are the policies, procedures, and techniques an organization has put in place to prevent or detect unauthorized physical or logical access to sensitive resources.

The OIG examined the logical controls protecting Kaiser’s network environment and the applications used to process or store data related to Kaiser’s FEHBP members.
During this review, the following controls were documented:
• Procedures for approving and securely granting access to networks and applications;
• Procedures for removing network and application access from individuals that no longer require access;
• The use of a variety of tools to detect and prevent unauthorized system access and intrusion attempts; and
• The use of tools to encrypt data at rest as well as data transferred via email.

The OIG also examined the physical controls of Kaiser’s facilities in

The following sections detail the opportunities for improvement that were noted for logical and physical access controls.

1. Physical Access Controls

Kaiser has implemented very strong interior and exterior physical access controls at its data center in                      However, the physical access controls could be improved at two office buildings visited by the OIG.

OIG auditors visited three Kaiser office facilities and reviewed controls in place related to access to the facility, access to sensitive resources within the facility, and visitor access. The sections below detail the auditors’ observations related to physical access controls at these locations.


A Kaiser facility in                       contains office space for several companies in addition to Kaiser. All Kaiser employees in this building are provided with electronic access cards. An electronic access card reader located in the elevator will only allow employees to access floors owned by their respective company. Visitors are not provided with an access card and must be escorted by a Kaiser employee. The OIG did not detect any weaknesses of the physical access controls at this facility.


One of the           facilities used by Kaiser’s Northern California region is located in                               Access to the public areas of this building (hallways, lobbies, stairwells, elevators) is not restricted. Access to the office suites occupied by Kaiser is controlled by an electronic access card system; users must swipe an access card against an electronic reader to unlock the door.

Visitor Access
Although the access card system limits physical access to Kaiser’s office space, a weakness exists in Kaiser’s procedures for distributing                        cards. When a visitor requires access to Kaiser suites, they must check in at Kaiser’s reception/security desk. After signing a visitor log, the visitor will be provided a                  card that is valid for the remainder of that business day. Visitors to this building do not require an escort and are not required to show a photo ID before being provided with a temporary access card.

Unlocked Conference Room
The OIG observed that an access card reader was disabled on the door to a Kaiser conference room. Although a second (active) card reader prevented unauthorized access to the office space beyond the conference room, the room did contain an active network and telephone port.


             This building is occupied entirely by Kaiser, and only Kaiser employees and visitors are allowed access. A security guard is stationed in the main lobby of this building to verify that individuals entering the building have a valid Kaiser employee identification badge. Individuals without an ID badge are directed to a security desk located on the side of the lobby. At the security desk, visitors are required to sign in and indicate which room they will be visiting. However, after signing in, visitors are allowed unescorted access to the building, and no procedures exist to verify that a Kaiser employee is expecting a visitor. Furthermore, this building does not contain any internal access card readers or other mechanisms to prevent unauthorized access to various work spaces.

NIST SP 800-12, An Introduction to Computer Security, outlines the benefits of implementing strong physical security controls. Specifically, it describes how physical access controls can reduce the risk of interruptions to computer services, physical damage, unauthorized disclosure of information, loss of control over system integrity, and physical theft.

The                       controls described above increase the risk

                     This risk is further increased by


Recommendation 2
We recommend that Kaiser improve the physical access controls at its                   facilities.

Kaiser Response:
“While the Carrier generally agrees with the Draft Report, it notes that significant positive security practices are already in place in these facilities in                          These practices, and the plans to improve them, are described more fully below. In addition, the            facility contains internal access card readers that protect critical areas, and, with regard to the card reader on the conference room in              the Carrier confirmed with building security that this reader had been intentionally deactivated. . . .

“Like the majority of office buildings nation-wide, the physical security program for the buildings in                          is intended to provide ready access to spaces within the building by authorized personnel and visitors. Positive surveillance practices are employed to screen and filter criminal opportunists. Employees are directed to immediately report suspicious activities to security. The program is also integrated with, and reliant upon, other security measures to manage the overall risks presented to the Carrier by access of unauthorized persons (e.g. mechanical locks, card key secured access, staffed reception areas, physical device security measures, network security protocols, etc.). In some instances, such as the             building, facilities are leased and operated by various landlords and/or property management firms. For these facilities, the owner and/or their representatives have implemented what they believe to be appropriate and reasonable office building protective requirements for their premises.

“At the time of the finding, the conference room utilized by the auditors was open for general use; the card reader’s operation was intentionally suspended. The card reader is activated whenever limited access is requested by the tenant.

“Considering the above, the Carrier does not believe significant physical modifications to these facilities and/or major deployment of additional security technologies are warranted at this time. However, the findings do recognize opportunities to reinforce current physical security protocols. Accordingly, subject to budgetary constraints, the Carrier plans to take the following actions . . . .”

See Appendix for Kaiser’s full response to this recommendation.

OIG Reply:
The response to the draft audit report indicates that Kaiser considers its physical security program comparable to that of the majority of office buildings nation-wide. However, we continue to believe that Kaiser’s physical access controls are substantially weaker than those implemented by the majority of health insurance carriers throughout the country that the OIG audit staff visits on a regular basis. For example, other carriers generally have controls in place that prevent unauthorized individuals from physically accessing an active network port (such as the one available in the unlocked conference room in                 ).

However, we acknowledge the steps that Kaiser is taking or plans to take to improve its physical security program. As part of the audit resolution process, we recommend that Kaiser provide OPM’s CRIS with appropriate supporting documentation of the actions it takes to enhance physical access controls to its facilities.


3. Security of Network Incident Logs

Kaiser has implemented a                                                              where individuals continuously monitor the performance of the various operating platforms and network environments that house the applications critical to Kaiser’s business. The                    operation facilitates many controls related to IT security monitoring and incident response. However, details of security incidents monitored by the               are published on a                                                         that is accessible by anyone with access to                           .

NIST SP 800-61, Computer Security Incident Handling Guide, provides guidelines for securely documenting data related to security incidents. Specifically, it states that an “incident response team should take care to safeguard data related to incidents because it often contains sensitive information - for example, data on exploited vulnerabilities, recent security breaches, and users that may have performed inappropriate actions. To reduce the
To reduce the\n   risk of sensitive information being released inappropriately, the team should ensure that\n   access to incident data is restricted properly.\xe2\x80\x9d\n\n   The                     contains a significant volume of sensitive data such as server names\n   and IP addresses. Access to this information increases the risk that an attacker could\n   successfully gain unauthorized access to sensitive information or disrupt Kaiser\xe2\x80\x99s network\n   environment and therefore its business processes.\n\n\n\n   Recommendation 4\n   We recommend that Kaiser limit access to the                         to employees whose job\n   function requires access.\n\n   Kaiser Response:\n   \xe2\x80\x9cThis recommendation does not take into account that the                  was specifically put\n   in place to provide client transparency to real time incidents in progress, and for the\n   Carrier\xe2\x80\x99s service desk to see a consolidated view of only high and critical incidents to\n   provide quick real time status and service direction. The               currently averages\n   close to          to the site Monday to Friday, and is used widely by clients and IT staff for\n   information on High and Critical Incidents in progress. Because the Draft Report did not\n   note this important function of the                its recommendation in this regard would\n   significantly limit the utility and purpose of the\n\n   \xe2\x80\x9cThe Carrier intends to adjust its              to address these concerns. Within thirty (30)\n   days of the Final Report, the Carrier will initiate the process to remove certain links from\n   the               This will eliminate wide access to potentially sensitive infrastructure data\n   and eliminate access to impact data and bridge call status.\n\n\n\n\n                                                10\n\x0c   \xe2\x80\x9cThe Carrier believes this adjustment will generate additional status calls to the Help\n   Desk. 
It will test to ensure the effectiveness of the adjustment. This process is expected to\n   take at least thirty (30) days to implement.\xe2\x80\x9d\n\n   OIG Reply:\n   We acknowledge the steps that Kaiser is taking to limit access to the             to\n   individuals whose job function requires access. We continue to assert that there are\n   significant IT security risks inherent with the practice of allowing           access to any\n   individual that can physically access one of Kaiser\xe2\x80\x99s                    . As discussed in\n   section B.1, above, we noted several instances where                       were not\n   adequately protected.\n\n   We understand the important functionality of the                as well as the need for IT\n   clients and staff to have access to it. The audit recommendation does not suggest that Kaiser\n   revoke                access to these individuals. Rather, we continue to recommend that\n   Kaiser develop a methodology that allows appropriate access to the                 while\n   preventing unauthorized individuals from accessing this sensitive information.\n\n   As part of the audit resolution process, we recommend that Kaiser provide OPM\xe2\x80\x99s CRIS with\n   appropriate supporting documentation of the actions it takes to address this audit\n   recommendation.\n\n4. Periodic Management Review of Active User Accounts\n\n   As mentioned in the scope section of this report, OIG auditors reviewed the system access\n   controls of six Kaiser applications that are used to process data relevant to Kaiser\xe2\x80\x99s FEHBP\n   line of business. 
Although Kaiser has implemented a variety of controls to ensure that active\n   user accounts on its applications are reviewed for appropriateness,\n\n\n   NIST SP 800-66 Revision 1, An Introductory Resource Guide for Implementing the HIPAA\n   Security Rule, states that organizations should develop \xe2\x80\x9cprocedures for reviewing and, if\n   appropriate, modifying access authorizations for existing users.\xe2\x80\x9d Furthermore, NIST SP 800-\n   12, An Introduction to Computer Security, states that access reviews should \xe2\x80\x9cexamine the\n   levels of access each individual has, conformity with the concept of least privilege, whether\n   all accounts are still active, whether management authorizations are up-to-date, whether\n   required training has been completed, and so forth.\xe2\x80\x9d\n\n   The procedures for reviewing user access were similar for the\n                   . For several systems, Kaiser\'s                    administrators assist in the\n   process by providing the business unit that owns the application with a list of active users.\n   However, in each case, it was the responsibility of the business unit to review active user\n   accounts for appropriateness.\n\n\n\n\n                                               11\n\x0c   This issue is further complicated by the fact that the business unit managers that approve\n   access to this particular application are not involved in the process of removing user\n   accounts. 
This creates a scenario where the approver only has a one-way view of accounts,\n   and does not know which (or how many) of the accounts that they approved remain active,\n   increasing the risk that user accounts exist for individuals that no longer require access to this\n   application.\n\n   Recommendation 5\n   We recommend that Kaiser periodically review the active user accounts for all of its critical\n   applications to verify that accounts exist only for active employees whose job function\n   requires access to that application.\n\n   Kaiser Response:\n   \xe2\x80\x9cIn response to this concern, by the end of the Second Quarter of 2009, the designated\n   business contact will work with the             administrators to develop an access review\n   process, which will include a quarterly review of staffing changes.\xe2\x80\x9d\n\n   OIG Reply:\n   We acknowledge the steps that Kaiser is taking to address this recommendation. As part of\n   the audit resolution process, we recommend that Kaiser provide OPM\xe2\x80\x99s CRIS with\n   appropriate supporting documentation of the actions it takes to improve controls related to\n   the periodic review of active user accounts.\n\n5. Disabling Inactive User Accounts\n\n   OIG auditors reviewed the user access controls of six Kaiser applications that are used to\n   process data relevant to Kaiser\'s FEHBP line of business. 
Although Kaiser has\n   implemented a variety of controls to ensure that user accounts are automatically disabled\n   after a period of inactivity, there were no controls in place to automatically disable\n   inactive accounts for one of the six systems reviewed.\n\n   NIST SP 800-53 Revision 2, Recommended Security Controls for Federal Information\n   Systems, suggests that an information system automatically disable inactive user accounts\n   after a predetermined period of inactivity.\n\n   The five systems that do have controls for automatically disabling inactive user accounts are\n   housed in Kaiser\'s              environment. The one system that does not have similar\n   controls is housed in an                                          environment. As mentioned\n   in section B.4, Kaiser has implemented a process to manually review user accounts for\n   appropriateness. However, implementing technical controls to automatically disable\n   inactive user accounts for all systems further decreases the risk that user accounts exist for\n   individuals that no longer require access to this application.\n\n\n\n\n                                                12\n\x0c   Recommendation 6\n   We recommend that Kaiser implement technical controls on all of its critical applications to\n   automatically disable inactive user accounts after a predetermined period of inactivity.\n\n   Kaiser Response:\n   \xe2\x80\x9cThe design of the application noted in Recommendation 6 is based on multiple\n   \xe2\x80\x98instances\xe2\x80\x99 which make truly automated disabling of access substantially more complex\n   than the five            applications which did not contain exceptions.\n\n   \xe2\x80\x9cBecause of these limitations on the automatic setting, the user security and processing\n   team manually processes deactivation for non-use by extracting last login dates for all\n   instances and specifically setting the account status to inactive on all instances, which\n   
fully deactivates the account, per the regional access termination documentation provided\n   during the audit.\xe2\x80\x9d\n\n   OIG Reply:\n   If Kaiser determines that it is not cost or resource efficient to implement the audit\n   recommendation, we recommend that it formally document its understanding and acceptance\n   of the risks inherent with this decision. This documentation should be provided to OPM\xe2\x80\x99s\n   CRIS in order to close the audit recommendation.\n\n6. Password Controls\n\n   OIG auditors reviewed the authentication controls of six Kaiser applications that are used to\n   process data relevant to Kaiser\'s FEHBP line of business. Although Kaiser has\n   implemented a corporate password policy, as well as a variety of technical controls to\n   enforce this policy, Kaiser has not implemented adequate password controls for one of the\n   six systems reviewed.\n\n   The OIG identified three separate password settings that could be improved for this system.\n   The specific settings were provided to Kaiser personnel during the fieldwork phase of the\n   audit and will not be included in this report. One of the settings was in violation of Kaiser\'s\n   corporate password policy. 
The other two settings, while compliant with Kaiser\'s policy, do\n   not meet industry best-practice standards or the password attributes suggested in NIST SP\n   800-12, An Introduction to Computer Security.\n\n   Weak password requirements increase the risk that an unauthorized individual can gain\n   access to Kaiser\'s sensitive IT resources and data.\n\n   Recommendation 7\n   We recommend that Kaiser update its corporate password policy and implement technical\n   controls to enforce the policy on all of its critical applications.\n\n\n\n\n                                                13\n\x0c       Kaiser Response:\n       \xe2\x80\x9cIn 2008, the Carrier implemented a new enterprise password policy based on balancing\n       existing policies, current industry best-practices, and the various risks and needs of its\n       associates, which include care delivery personnel. The required password length was\n       increased, and passwords were also forced to be made more complex.\n\n       \xe2\x80\x9cWith these more stringent standards in place, the Carrier\xe2\x80\x99s decision to remove this\n       control was made following a comprehensive analysis of the value of that control versus\n       operational needs, particularly the needs of its care delivery personnel. 
It was determined\n       that, given stronger rules for password complexity, the net effect would be equal security\n       with less impact for the users.\n\n       \xe2\x80\x9cIn light of these considerations, and the stringent controls already in place, the Carrier\n       believes sufficient password controls are in place.\xe2\x80\x9d\n\n       OIG Reply:\n       If Kaiser determines that its current password policy is adequate, we recommend that it\n       formally document its acceptance of the inherent risks associated with deviating from widely\n       accepted password standards such as those outlined in NIST SP 800-12, An Introduction to\n       Computer Security.\n\n       In addition, Kaiser\xe2\x80\x99s response did not address the password setting that was not compliant\n       with the company\xe2\x80\x99s password policy. We continue to recommend that Kaiser configure its\n       password settings in a manner that is compliant with its own corporate password policy.\n\nC. Application Development and Change Control\n   The OIG evaluated the policies and procedures governing software development and change\n   control over Kaiser\xe2\x80\x99s                                 as well as its\n\n\n   Kaiser has adopted a traditional system development life cycle (SDLC) methodology that\n   incorporates the use of formal change requests managed by a project tracking tool. Kaiser also\n   uses a structured approval process for change requests. 
The following controls related to testing\n   and approvals of software modifications were observed:\n   \xe2\x80\xa2   Testing activities are conducted at various stages of the SDLC;\n   \xe2\x80\xa2   Appropriate levels of approval must be completed before the change is migrated into the\n       production environment; and\n   \xe2\x80\xa2   Procedures and controls are in place for emergency changes.\n\n   The OIG also observed the following controls related to software libraries:\n   \xe2\x80\xa2   Kaiser has a software library management tool that provides sufficient control of application\n       software;\n   \xe2\x80\xa2   Application software is segregated among development, testing, and production regions; and\n\n\n\n                                                  14\n\x0c   \xe2\x80\xa2   There is a clear segregation of duties along organizational lines for all application software\n       modifications.\n\nD. System Software\n   The system software that houses the production applications within the scope of this audit reside\n   at Kaiser\xe2\x80\x99s data center in                   Five of these applications are run on\n\n\n\n   Kaiser has implemented a thorough system software change control methodology. This process\n   utilizes a change management tool to control and track changes, and involves multiple levels of\n   approvals.\n\n   It was also noted that Kaiser has implemented policies and procedures for conducting emergency\n   changes and limiting access to system software to the appropriate individuals. The OIG\n   reviewed several high level security settings of Kaiser\xe2\x80\x99s               , and did not identify any\n   weaknesses.\n\nE. Business Continuity\n   We reviewed Kaiser\xe2\x80\x99s service continuity program to determine if (1) procedures are in place to\n   protect information resources and minimize the risk of unplanned interruptions and (2) a plan\n   exists to recover critical operations should interruptions occur. 
The following section documents\n   the results of the service continuity review and provides recommendations for improving\n   Kaiser\xe2\x80\x99s service continuity program.\n\n   1. Disaster Recovery Plan\n       Based on interviews with Kaiser personnel and Kaiser\xe2\x80\x99s response to various documentation\n       requests, the OIG determined that a thorough business continuity and disaster recovery plan\n       has not been implemented for any of the six applications reviewed during this audit.\n\n       A Disaster Recovery (DR) Organization has been designated within Kaiser with the\n       responsibility to develop, support, test, maintain and execute disaster recovery plans. The\n       DR Organization has prepared a time line to establish a reasonable deadline for completing\n       disaster recovery plans for its critical applications. However, as of November 2008, the\n       disaster recovery plans are incomplete and Kaiser is still in the planning phase of its disaster\n       recovery capability overhaul.\n\n       Furthermore, although Kaiser has implemented procedures for periodic testing of disaster\n       recovery plans, a full scope disaster recovery test has yet to be conducted for Kaiser\xe2\x80\x99s critical\n       applications.\n\n       A variety of criteria exists to emphasize the need for Kaiser to develop a thorough business\n       continuity and disaster recovery capability, including:\n\n\n\n\n                                                    15\n\x0c\xe2\x80\xa2   Kaiser\xe2\x80\x99s business continuity policy states that Kaiser will \xe2\x80\x9cdevelop and maintain business\n    continuity plans to address the actions necessary to protect the security of its electronic\n    information in the event of an emergency or disaster.\xe2\x80\x9d Also, Kaiser will periodically test\n    and update business continuity plans.\n\xe2\x80\xa2   Kaiser\xe2\x80\x99s corporate disaster recovery policy states that Kaiser will 
\xe2\x80\x9cdevelop and maintain\n    a disaster recovery plan to address the actions to be taken to recover, as necessary,\n    damage to computing or biomedical systems/devices containing its electronic information\n    and/or lost KP electronic information in an emergency or disaster.\xe2\x80\x9d In addition, the\n    policy states Kaiser will periodically test and update disaster recovery plans.\n\xe2\x80\xa2   HIPAA Security Rule 164.308 (a)(7)(i) states that \xe2\x80\x9ca contingency plan must be in effect\n    for responding to system emergencies. The plan would include an applications and data\n    criticality analysis, a data backup plan, a disaster recovery plan, an emergency mode\n    operation plan, and testing and revision procedures. . . . Without contingency planning, a\n    covered entity has no assurance that its critical data could survive an emergency\n    situation.\xe2\x80\x9d\n\xe2\x80\xa2   NIST SP 800-34, Contingency Planning Guide for IT Systems, states that \xe2\x80\x9cPlan testing is\n    a critical element of a viable contingency capability. Testing enables plan deficiencies to\n    be identified and addressed. Testing also helps evaluate the ability of the recovery staff\n    to implement the plan quickly and effectively. 
Each IT contingency plan element should\n    be tested to confirm the accuracy of individual recovery procedures and the overall\n    effectiveness of the plan.\xe2\x80\x9d\n\nFailure to adequately develop, maintain, and test business continuity and disaster recovery\nplans increases the risk that Kaiser will be unable to maintain critical business operations\nwhen unexpected events occur.\n\nRecommendation 8\nWe recommend that Kaiser develop and implement business continuity and disaster recovery\nplans for all of its critical applications in accordance with company policy and other relevant\ncriteria.\n\nKaiser Response:\n\xe2\x80\x9cThe Carrier has made considerable investments in disaster recovery and business\ncontinuity, and has made significant strides in advancing its implementation and testing\ncapability. For instance, the recent acquisition and integration of the new data center\n(NDC) required an enormous commitment of resources, represented great progress in the\nCarrier\xe2\x80\x99s disaster recovery and business continuity implementation efforts, and went a\nlong way to ensuring the viability of critical systems in the event of a disaster.\n\nAs these and other efforts reflect, the Carrier understands the importance of disaster\nrecovery and business continuity management, and is committed to completing the\nimplementation of its programs within the timelines it has set for itself.\xe2\x80\x9d\n\nSee Appendix for Kaiser\xe2\x80\x99s full response to this recommendation.\n\n\n                                            16\n\x0c       OIG Reply:\n       We acknowledge the steps that Kaiser is taking to improve its disaster recovery and business\n       continuity programs in a timely manner. 
As part of the audit resolution process, we\n       recommend that Kaiser provide OPM\xe2\x80\x99s CRIS with appropriate supporting documentation of\n       the actions it takes to address this audit recommendation.\n\n       Recommendation 9\n       We recommend that Kaiser test its disaster recovery plans at least annually.\n\n       Kaiser Response:\n       See Kaiser Response to Recommendation 8\n\n       OIG Reply:\n       See OIG Reply to Recommendation 8\n\nF. Application Controls\n   The OIG evaluated the application controls of the information systems that Kaiser uses to\n   adjudicate the data associated with an FEHBP member receiving services from a Kaiser\n   professional provider or hospital (\xe2\x80\x9cencounters\xe2\x80\x9d). The systems included in the scope of this\n   review include:\n   \xe2\x80\xa2                   \xe2\x80\x93 used by providers and hospitals to record the services provided to Kaiser\n       members;\n   \xe2\x80\xa2                \xe2\x80\x93 Kaiser\xe2\x80\x99s membership system that stores data related to the Plan\xe2\x80\x99s enrollees;\n   \xe2\x80\xa2                                           \xe2\x80\x93 a series of analytical databases that store and format\n       data critical to Kaiser\xe2\x80\x99s health plan and service delivery lines of business; and\n   \xe2\x80\xa2                                   (      \xe2\x80\x93 uses data produced by the other systems to develop the\n       adjusted community pricing rates for Kaiser\xe2\x80\x99s customers (e.g., OPM/FEHBP).\n\n   The OIG tested the controls of these systems by submitting a series of test encounters of FEHBP\n   members into the systems\xe2\x80\x99 test environments. The test encounters were created with inherent\n   flaws designed to evaluate the systems\xe2\x80\x99 ability to either correct the errors or prevent the\n   erroneous data from being included in the calculation of the FEHBP\xe2\x80\x99s adjusted community rating\n   (rating). 
OIG auditors worked with Kaiser employees (\xe2\x80\x9ctesters\xe2\x80\x9d) to enter the test encounters,\n   consisting of both professional provider and hospital services, into the                  system.\n   The encounters were then processed through the                                              . A\n   report was produced by       that detailed the final prices assigned to test encounters as it would\n   be used in calculating the FEHBP\xe2\x80\x99s rating. The testers used the same system interfaces and had\n   the same privileges that would be available in the system\xe2\x80\x99s production environment.\n\n   The testing exercise revealed that Kaiser\xe2\x80\x99s systems do have many controls in place including, but\n   not limited to, the ability to:\n\n\n\n\n                                                   17\n\x0c\xe2\x80\xa2   Detect duplicate encounters and prevent them from being submitted into the\n            (both hospital and professional encounters);\n\xe2\x80\xa2   Detect encounters for ineligible members and prevent them from being included in the rating\n    calculation;\n\xe2\x80\xa2   Detect encounters with medical inconsistencies and prevent them from being included in the\n    rating calculation (hospital encounters only); and\n\xe2\x80\xa2   Assign the appropriate price to various encounters based on the member\xe2\x80\x99s benefit level\n    (standard or high).\n\nHowever, the OIG identified several areas where Kaiser\xe2\x80\x99s system controls could be improved, as\ndetailed in the sections below.\n\n1. Medical Edits for Professional Encounters\n\n    Several professional encounters with medical inconsistencies were processed, priced, and\n    inappropriately included in the FEHBP\xe2\x80\x99s rating.\n\n    a) Procedure invalid for diagnosis.\n\n       An encounter was processed for a member that received an                            for\n       a diagnosis of a           . 
The system did not produce any warning messages indicating\n       that an inconsistency/conflict existed between the diagnosis and procedure, and the\n       encounter was assigned a price and passed to the FEHBP\xe2\x80\x99s rating.\n\n       A second test encounter with a diagnosis/procedure inconsistency further verifies this\n       system weakness. In the second case, a                         was ordered for a\n       diagnosis of a                , and the encounter was assigned a price and passed to the\n       FEHBP\xe2\x80\x99s rating.\n\n       After the testers entered the original diagnoses, the system did suggest a series of\n       procedures related to that diagnosis. However, the OIG does not consider this to be an\n       adequate compensating control, as the tester was able to manually search for and order an\n       alternate procedure without significant additional effort.\n\n    b) Procedure invalid for member\xe2\x80\x99s gender.\n\n       An encounter for a                             was processed for a               .\n       Although this procedure is inconsistent with         anatomy, the encounter was assigned\n       a price and passed to the FEHBP\xe2\x80\x99s rating. The system did not produce any warning\n       messages indicating that there was a conflict between the member\xe2\x80\x99s gender and the\n       ordered procedure.\n\n    c) Procedure invalid for provider specialty.\n\n       An encounter was processed for a                          performed by an\n                   is typically performed by an                  , and is outside of an\n\n\n                                               18\n\x0c                      specialty. 
The system did not produce any warning messages related to this\n     inconsistency, and the encounter was assigned a price and passed to the FEHBP\xe2\x80\x99s rating.\n     After the testers entered the provider\xe2\x80\x99s information, the system did display a series of\n     procedures that would typically be performed by an               . However, the OIG does\n     not consider this to be an adequate compensating control, as the tester was able to search\n     a full list of procedure codes and select the                        without significant\n     additional effort.\n\nKaiser utilizes a third party software package that performs medical edits of hospital\nencounters. However, the results of the system testing indicate that similar controls are not\nin place for professional encounters. The lack of adequate medical edits in Kaiser\xe2\x80\x99s systems\nto identify anomalies like those listed above increases the risk that invalid professional\nencounters could be inadvertently or fraudulently processed and improperly included in the\nFEHBP rating calculation.\n\nRecommendation 10\nWe recommend that Kaiser implement medical edits in its systems to evaluate the medical\nappropriateness of all encounters that will be included in the FEHBP rating calculation.\n\nKaiser Response:\n\xe2\x80\x9cThe Carrier\xe2\x80\x99s internal delivery operations and its system are already designed to minimize\nrisk and have established controls over how professional encounters are documented and\ncaptured. The nature of the Carrier\xe2\x80\x99s physician workflow and system functionality\nminimizes the risk of erroneous coding existing in the rating system data. As described\nduring the onsite testing, because of the Carrier\xe2\x80\x99s unique arrangement with its contracted\nmedical groups, individual physicians derive no direct financial benefit from the way a\nparticular encounter is coded. 
In addition, three tools are built into the Carrier’s clinical delivery application to drive a high level of consistency and accuracy:

1) [redacted] that suggest to the provider appropriate diagnoses and procedures for their specialty;
2) A decision tree based tool [redacted] that presents appropriate procedures based on the chief complaint from the patient; and
3) Best practice help guides or [redacted] for ordering appropriate procedures based on the patient's condition.

“As with covered procedures, individual physicians have no direct financial incentive to inappropriately code services they provide. Although the existing rating data does not check benefit eligibility at a fine level of detail, benefit classes such as infertility treatments or cosmetic services are excluded in the rating data through benefit verification and exclusion logic in the rating data preparation and load process.

“To test the extent to which erroneous coding and non-covered services exist in the Carrier’s rating data, it reviewed claims data for the existence of those conditions tested during the auditors’ on-site visit. The Carrier tested twelve (12) months of data (10/2007 - 9/2008) for a representative sample of our largest commercial customers, representing 14,450,107 member months. These tests revealed no (0) cases of a [redacted] performed on [redacted]; no (0) cases of [redacted] and [redacted] in the same encounter; only three (3) cases of [redacted] during a [redacted]; and no (0) cases of [redacted] in the [redacted]. In addition, it tested twelve (12) months of paid claims data (10/2007 - 9/2008) for all members of the FEHBP, representing 2,147,696 member months, and found only 26 incidences of non-covered [redacted].

“This review of actual data indicates that the prevalence of these situations and the associated costs are negligible. The few erroneous codes that appear in the data are statistically insignificant and do not affect a group’s premium rate outcome. As part of its regular data validation process, the Carrier will monitor the data for these specific irregularities and if the results should change, it will determine if adjustments are necessary.

“Given the extremely low prevalence of these particular conditions in the existing data, the Carrier has determined that it is cost prohibitive to invest capital on any other interim solutions prior to [redacted]. Based on economic conditions, these plans may be subject to change.”

OIG Reply:
During the fieldwork phase of the audit, Kaiser personnel thoroughly described to OIG auditors the three tools [redacted] that are used to discourage erroneous coding for professional encounters. After receiving a demonstration of the capability of these controls, we concluded that they are not sufficient to prevent or detect fraudulent or accidental coding inconsistencies or the inclusion of non-covered benefits into the FEHBP rating. These tools simply act as guides for the coding process, and in no way prohibit erroneous activity.

Although similar tools exist for the processing of hospital encounters, Kaiser has determined that it is necessary to utilize a third party software package to perform medical edits of hospital encounters. Kaiser’s response did not address this inconsistency, and we continue to recommend that Kaiser’s professional encounters be processed through the same degree of medical edits that its hospital encounters are subject to, and that it make system modifications to ensure that non-covered benefits are detected.

Kaiser’s response to the draft report also summarized the results of its testing of 12 months of encounter data related to the specific anomalies identified during the OIG testing exercise. This test revealed that very few instances of these medical inconsistencies have been processed through Kaiser’s production environment for FEHBP members. While we appreciate the efforts taken to produce this data, we believe that Kaiser’s response did not address the intent of the audit recommendation. The OIG deliberately made the test cases obscure and improbable in an effort to emphasize the extent of the system weakness. Although there were only 3 incidents of a [redacted] during a [redacted] and 26 incidents of a [redacted], Kaiser’s analysis did not consider the thousands of additional medical inconsistencies or non-covered services that could be affected by the system flaws identified during this audit.

2. Non-covered benefit

An encounter was processed for a non-covered [redacted] procedure. Kaiser’s systems did not detect that this procedure is not covered by Kaiser’s FEHBP benefit structure, and the encounter was assigned a price and passed to the FEHBP’s rating.

A second test encounter with a non-covered benefit further verifies this system weakness. In the second case, a [redacted] was ordered, and the encounter was assigned a price and passed to the FEHBP’s rating.

Kaiser professionals and hospitals could inadvertently or fraudulently order procedures that are not covered by the FEHBP benefit structure. The lack of system controls to detect such encounters increases the risk that they are being improperly included in the FEHBP ratings calculation.

Recommendation 11
We recommend that Kaiser implement the appropriate system modifications to ensure that non-covered benefits are not included in the FEHBP rating calculation.

Kaiser Response:
See Kaiser Response to Recommendation 10

OIG Reply:
See OIG Reply to Recommendation 10

3. Emergency Room to Hospital Transfers

An encounter was processed for a member who was transferred from an emergency room (ER) to a hospital. Kaiser’s systems did not correctly apply the FEHBP benefit structure to this encounter, and the services were inaccurately priced and passed to the FEHBP rating.

According to Kaiser’s FEHBP benefit structure, members must pay a $50 copay for ER visits, and a $250 copay for hospital visits. However, when an individual is transferred from the ER to a hospital, the $50 ER copay is waived, and the member is only responsible for the $250 hospital copay.

In the test encounter, the [redacted] appropriately generated a $250 bill for the member, but the [redacted] system indicated that the member was liable for $300. The overvaluation of member liability resulted in the price assigned to the services and passed to the rating being undervalued by $50.

Recommendation 12
We recommend that Kaiser implement the appropriate system modifications to ensure that the FEHBP benefit structure (specifically, member copays) is appropriately factored into the pricing of encounters that are included in the FEHBP rating.

Kaiser Response:
“The Carrier understands that this situation may have resulted in a negligible undercharge to the FEHBP, and appreciates the opportunity to adjust its systems. Development of the detailed requirements is currently in process. System modifications are targeted to be developed, tested and in production by December 31, 2009.”

OIG Reply:
We acknowledge the steps that Kaiser is taking to address this recommendation. As part of the audit resolution process, we recommend that Kaiser provide OPM’s CRIS with appropriate supporting documentation of the actions it takes to ensure its systems appropriately factor the FEHBP benefit structure into the pricing of FEHBP encounters.

4. Pricing of Hospital Professional Services and Room and Board

The OIG processed an encounter for a [redacted], and expected the system to pend this encounter due to an inconsistency.

Kaiser’s systems appropriately split the hospital room/board and professional services into two line items to be evaluated for pricing. However, the systems automatically re-classified the [redacted] as [redacted] (a non-covered procedure).

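The three control gaps behind Recommendations 10 to 12 (no medical edits on professional encounters, non-covered procedures priced instead of pended, and an ER-to-hospital transfer charged both copays) can be expressed as one pricing check; the Python below is an added example, not Kaiser's or OPM's code. The $50 and $250 copays and the $50 undervaluation come from the report; the procedure codes, rule tables and encounters are constructed placeholders for values the report redacts.

```python
from dataclasses import dataclass, field

ER_COPAY = 50.0          # FEHBP ER visit copay stated in the report
HOSPITAL_COPAY = 250.0   # FEHBP hospital visit copay stated in the report

# Constructed rule tables: hypothetical codes standing in for the redacted ones.
NON_COVERED = frozenset({"PROC-NC-1", "PROC-NC-2"})
MUTUALLY_EXCLUSIVE = frozenset({frozenset({"PROC-A", "PROC-B"})})


@dataclass(frozen=True)
class Encounter:
    member_id: str
    setting: str                  # "ER" or "HOSPITAL"
    procedures: tuple             # procedure codes on the encounter
    billed: float                 # total charges before member liability
    transferred_from_er: bool = False


@dataclass
class PricingResult:
    status: str                   # "priced" or "pended"
    member_liability: float
    rating_amount: float          # amount that would flow into the FEHBP rating
    reasons: list = field(default_factory=list)


def member_copay_legacy(enc):
    """Behaviour the audit observed: a transfer is charged the hospital copay plus the ER copay."""
    copay = HOSPITAL_COPAY if enc.setting == "HOSPITAL" else ER_COPAY
    if enc.transferred_from_er:
        copay += ER_COPAY         # $250 + $50 = $300, overstating member liability
    return copay


def member_copay(enc):
    """Benefit structure as the report states it: the ER copay is waived on transfer."""
    if enc.setting == "HOSPITAL":
        return HOSPITAL_COPAY     # transfer or not, only the $250 hospital copay applies
    return ER_COPAY


def medical_edits(enc):
    """Edits the report says professional encounters lack: non-covered and inconsistent codes."""
    reasons = ["non-covered procedure " + p for p in enc.procedures if p in NON_COVERED]
    codes = set(enc.procedures)
    for pair in MUTUALLY_EXCLUSIVE:
        if pair <= codes:
            reasons.append("mutually exclusive procedures " + " and ".join(sorted(pair)))
    return reasons


def price_encounter(enc, copay_rule=member_copay):
    """Pend anything that fails an edit; otherwise price it with the given copay rule."""
    reasons = medical_edits(enc)
    if reasons:
        # Nothing reaches the rating until a reviewer resolves the pend.
        return PricingResult("pended", 0.0, 0.0, reasons)
    liability = copay_rule(enc)
    return PricingResult("priced", liability, enc.billed - liability)


def rating_undervaluation(enc):
    """How far the legacy copay rule under-prices an encounter relative to the corrected rule."""
    corrected = price_encounter(enc).rating_amount
    legacy = price_encounter(enc, member_copay_legacy).rating_amount
    return corrected - legacy


if __name__ == "__main__":
    # Constructed encounter mirroring the ER-to-hospital transfer test case.
    transfer = Encounter("M-0001", "HOSPITAL", ("PROC-OK",), 1000.0, transferred_from_er=True)
    print(price_encounter(transfer, member_copay_legacy))   # liability 300.0, rating 700.0
    print(price_encounter(transfer))                        # liability 250.0, rating 750.0
    print(rating_undervaluation(transfer))                  # 50.0
```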
Furthermore, the system inaccurately indicated that the member was 100% liable for the room and board charges, and inaccurately priced the [redacted] procedure and passed it to the FEHBP rating.

Kaiser representatives and system testers acknowledged that a “bug” in the system caused the erroneous results observed during the processing of this test encounter. Due to the scope and timeline limitations associated with the testing exercise, the OIG is unable to determine the full extent of this problem.

Recommendation 13
We recommend that Kaiser research the extent of the system bug identified during the processing of this test encounter, and implement the appropriate system modifications to correct the problem.

Kaiser Response:
“The Carrier has researched this issue and found that this “bug” only appears when one of its source processing files is empty. This condition does not exist in normal production. It was a problem the Carrier subsequently identified with the FEHBP audit test data run in the test environment. The Carrier’s current production validation process does account for this issue; therefore, the Carrier has determined that no further action is required.”

OIG Reply:
As part of the audit resolution process, we recommend that Kaiser provide OPM’s CRIS with documentation supporting its position that this bug does not exist in the production environment.

G. Health Insurance Portability and Accountability Act
The OIG reviewed Kaiser’s efforts to maintain compliance with the security, privacy and national provider identifier standards of HIPAA. Nothing came to our attention that caused us to believe that Kaiser is not in compliance with the various requirements of these HIPAA regulations.

Kaiser has implemented a series of IT security policies and procedures to adequately address the requirements of the HIPAA security rule. Kaiser has also developed a series of privacy policies and procedures that directly addresses all requirements of the HIPAA privacy rule. The documents related to the HIPAA privacy and security rules are readily available to all Kaiser employees via the company’s Intranet. Kaiser employees receive privacy and security related training during new hire orientation, as well as periodic subsequent training as needed.

In addition, the OIG documented that Kaiser has adopted the national provider identifier as the standard unique health identifier for health care providers, as required by HIPAA.

III. Major Contributors to This Report
This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector General, Information Systems Audits Group. The following individuals participated in the audit and the preparation of this report:
• [redacted], Group Chief
• [redacted], Senior Team Leader
• [redacted], Auditor-In-Charge
• [redacted], IT Auditor
• [redacted], IT Auditor

Appendix

March 13, 2009

Mr. [redacted]
Auditor-in-Charge
Information Systems Audits Group
U.S. Office of Personnel Management
Office of the Inspector General
1900 E Street N.W., Room 6400
Washington, D.C. 20415

Re: Kaiser Foundation Health Plan, Inc. - Northern California Region
    Kaiser Foundation Health Plan, Inc. - Southern California Region
    Response to Draft of a Proposed Report 1C-59-00-09-002 (January 12, 2009)

Dear Mr. [redacted]:

This letter responds to your correspondence of January 12, 2009, which enclosed a Draft of a Proposed Report (Draft Report) based on “the audit of general and application controls over the information systems responsible for processing data related to Federal Employees Health Benefits Program (FEHBP) members at the Northern and Southern California Regions of Kaiser Foundation Health Plan” (Carrier). Draft Report, p. 1. This response addresses the recommendations in the Draft Report. Where appropriate, it also outlines the corrective actions that have been taken or will be taken by the Carrier based on the recommendations.

As you requested, we are submitting copies of this document both electronically and in hard copy.

SUMMARY OF DRAFT REPORT FINDINGS

As described in the Draft Report, OIG identified several opportunities for improvement and made thirteen (13) recommendations with regard to the information systems subject to audit.
In brief, the Draft Report made findings and recommendations in the following areas:

   1)  “[C]onduct periodic business impact analyses and risk assessments on its information systems” in accordance with company policy and other standards;
   2)  Improve physical access controls in non-data center office buildings;
   3)  [redacted]
   4)  Limit access to network incident logs;
   5)  Periodically review active user logs for critical applications;
   6)  Implement technical controls on critical applications to automatically disable inactive user accounts;
   7)  Update its corporate password policy and implement technical controls on critical applications;
   8)  “Develop and implement business continuity and disaster recovery plans for all of its critical applications”;
   9)  “Test its disaster recovery plans at least annually”;
   10) “Implement medical edits in its systems to evaluate the medical appropriateness of all encounters that will be included in the FEHBP rating calculation”;
   11) “Implement the appropriate system modifications to ensure that non-covered benefits are not included in the FEHBP rating calculation”;
   12) “Implement the appropriate system modifications to ensure that the FEHBP benefit structure (specifically, member copays) are appropriately factored into the pricing of encounters”; and
   13) “Research the extent of the system bug identified during the processing of this test encounter, and implement the appropriate system modifications to correct the problem.”

RESPONSE TO DRAFT REPORT FINDINGS

The Carrier generally applauds the many positive observations and findings in the Draft Report, and views these as affirmation of the significant expenditures of time, effort and resources that the Carrier has undertaken to develop, build, and secure its information technology environment. In several instances, the Draft Report has helped the Carrier to identify opportunities to improve the programs, processes, systems and plans it already has in place.

In addition, however, the Carrier wishes to reiterate or identify additional facts which we believe clarify or place in context a number of the findings in the Draft Report. With regard to many of the opportunities for improvement identified in the Draft Report, the Carrier already has addressed or is in the process of implementing plans to address these opportunities and has provided additional details in the discussion below. The continued development and implementation of these programs may depend on budgetary constraints. We would be pleased to provide any additional information that would help satisfy the concerns noted in the Draft Report.

Recommendation 1 (A. Entity-Wide Security Program):

   The Carrier believes that activities begun in 2008 are intended to address HIPAA requirements by conducting periodic business impact analyses and risk assessments on its information systems. These address the implicit risks in Recommendation 1.

With regard to the Carrier’s enterprise-wide security program, the Draft Report indicated that the Carrier was not adhering to its own policies regarding security risk management and evaluation and business continuity management. Draft Report, p. 4. Based on these findings, the Draft Report recommended that the Carrier conduct periodic business impact analyses and risk assessments on its information systems.

While the Carrier generally agrees with this finding of the Draft Report, the Carrier wishes to highlight the important programs in place to establish compliance with its security risk and business continuity management policies and prevailing standards. These programs have already developed significant processes that fulfill the requirements of the security risk management and business continuity management policies and, to the extent that gaps remain, these programs have already developed plans to address them. Most of the programs began in 2008. Because the Carrier believed the scope of the audit was the 2007 Contract Year, the Carrier did not provide the auditors with documents related to activities that occurred after 2007.

   1. The Carrier’s risk assessment program for HIPAA privacy and security already conducts periodic risk assessments in compliance with policy and prevailing standards.

Prior to this audit, to ensure compliance with the risk assessment requirements of HIPAA, the Carrier conducted a privacy and security compliance risk assessment, developed a mitigation plan, and established a two year cycle for future risk assessments. Related documents are available for review upon request.

In 2008, the Kaiser Permanente National Privacy and Security Compliance Office (NPSCO) and the Regional Privacy and Security Officers (RPSOs) conducted a privacy and security compliance risk assessment in accordance with the National Compliance security policy, Security Risk Management and Evaluation NATL.NCO.ISP.040. The scope of the risk assessment encompassed all eight regions and was based on the HIPAA privacy and security requirements. Kaiser Permanente’s Information Security Office (ISO) purchased [redacted], the assessment tool, and provided technical support during the process.

[redacted] assesses the level of privacy and security compliance and calculates inherent risk by adding the likelihood of risk to risk impact. An initial baseline of 560 questions was identified in [redacted]. NPSCO and ISO filtered the 560 questions into 77 targeted questions based upon the HIPAA Privacy and Security Rule and CMS audit interests.

During the planning phase of the assessment process, RPSOs were designated as the regional subject matter experts and facilitators. NPSCO and the RPSOs met on a weekly basis for most of 2008. During that time the following parameters were agreed upon:

   • Use of the [redacted] tool to conduct the assessment and generate findings
   • Agreement on [redacted] questions and risk criteria
   • Identification of senior leaders to sponsor the project and sign off on findings and risk mitigation plans
   • Identification of regional governance committees that would assess risk and determine risk management decisions
   • Definition of policy and procedure implementation
   • Agreement to target critical and high risks for mitigation

The assessment was conducted and mitigation plans were developed in 2008. Mitigation plans will be measured and reported in 2009 on a quarterly basis.

NPSCO and RPSOs have agreed upon a two year cycle for privacy and security compliance risk assessments. Planning is already underway for the implementation of the 2010 risk assessment. The Carrier is focusing on:

   • Scope
   • Methodology and tools
   • Updating communication, training, documentation, and mitigation tools
   • Timelines

Recommendation 2 (B. Access Controls; 1. Physical Access Controls):

   While the Carrier has implemented numerous physical access controls at its [redacted] facilities, the Carrier plans to further improve its access controls at these facilities to fully address the localized items noted in Recommendation 2.

With regard to physical access controls, the Draft Report found that visitors to one building in [redacted] were not required to show photo identification or to have an escort, and that the access card reader to a conference room had been disabled. It also found that in one building in [redacted], although visitors must sign in, they do not need an escort, and “this building does not contain any internal access card readers or other mechanisms to prevent unauthorized access to various work spaces.” Draft Report, p. 4. Based on these findings, the Draft Report recommended that the Carrier improve its physical access controls at these facilities.

While the Carrier generally agrees with the Draft Report, it notes that significant positive security practices are already in place in these facilities in [redacted]. These practices, and the plans to improve them, are described more fully below. In addition, the [redacted] facility contains internal access card readers that protect critical areas, and, with regard to the card reader on the conference room in [redacted], the Carrier confirmed with building security that this reader had been intentionally deactivated.

   1. Although the Carrier’s program of physical access already provides physical access controls equal to those in similar facilities, the Carrier plans to further reinforce its current security protocols.

Like the majority of office buildings nation-wide, the physical security program for the buildings in [redacted] is intended to provide ready access to spaces within the building by authorized personnel and visitors. Positive surveillance practices are employed to screen and filter criminal opportunists. Employees are directed to immediately report suspicious activities to security. The program is also integrated with, and reliant upon, other security measures to manage the overall risks presented to the Carrier by access of unauthorized persons (e.g. mechanical locks, card key secured access, staffed reception areas, physical device security measures, network security protocols, etc.). In some instances, such as the [redacted] building, facilities are leased and operated by various landlords and/or property management firms. For these facilities, the owner and/or their representatives have implemented what they believe to be appropriate and reasonable office building protective requirements for their premises.

At the time of the finding, the conference room utilized by the auditors was open for general use; the card reader’s operation was intentionally suspended. The card reader is activated whenever limited access is requested by the tenant.

Considering the above, the Carrier does not believe significant physical modifications to these facilities and/or major deployment of additional security technologies are warranted at this time. However, the findings do recognize opportunities to reinforce current physical security protocols. Accordingly, subject to budgetary constraints, the Carrier plans to take the following actions:

   1. It will reinforce the current visitor authorization program through staff training and written communication. Visitors to these buildings will be required to show government issued picture ID. Target implementation date: 3rd Quarter 2009.

   2. Where not already in place, arrangements will be made [redacted] Target implementation date: 3rd Quarter 2009.

   3. Signage in the lobbies of the buildings noted in the audit will be reviewed to ensure that visitors are aware of these requirements immediately upon entering the building. Target implementation date: 3rd Quarter 2009.

   4. Approximately [redacted] of the [redacted] building is secured during normal business hours to protect critical or confidential functions. Access to these secured spaces requires an access code or separate access cards. Plans are underway to expand this secured space to a total of approximately [redacted]. Target implementation date: March 2010.

   5. A pilot project that involves [redacted] is underway in [redacted] buildings. Technology costs for this program are estimated at between $5,000 and $10,000 per installation. The pilot will be evaluated at the end of the 2nd Quarter of 2009 and, if deemed successful, capital funds will be requested from the regions to expand implementation. Target implementation date: December 2009.

[redacted]

Recommendation 4 (B. Access Controls; 3. Security of Network Incident Logs):

   Recommendation 4 concerning the Carrier’s network incident logs did not take into account an important function of its logs which would prevent IT internal clients and staff from accessing important information regarding priority incidents.

With regard to security of network incident logs, the Draft Report raised concerns around the Carrier’s practice of communicating specific details of incidents via an Intranet website known as the [redacted] which currently is accessible by anyone with access to [redacted]. It recommended that the Carrier limit access to the [redacted] to employees whose job function requires access for the information or general status. Draft Report, pp. 7-8.

This recommendation does not take into account that the [redacted] was specifically put in place to provide client transparency to real time incidents in progress, and for the Carrier’s service desk to see a consolidated view of only high and critical incidents to provide quick real time status and service direction. The [redacted] currently averages close to [redacted] to the site Monday to Friday, and is used widely by clients and IT staff for information on High and Critical Incidents in progress. Because the Draft Report did not note this important function of the [redacted], its recommendation in this regard would significantly limit the utility and purpose of the [redacted].

The Carrier intends to adjust its [redacted] to address these concerns. Within thirty (30) days of the Final Report, the Carrier will initiate the process to remove certain links from the [redacted]. This will eliminate wide access to potentially sensitive infrastructure data and eliminate access to impact data and bridge call status.

The Carrier believes this adjustment will generate additional status calls to the Help Desk. It will test to ensure the effectiveness of the adjustment. This process is expected to take at least thirty (30) days to implement.

Recommendation 5 (B. Access Controls; 4. Periodic Management Review of Active User Accounts):

   With regard to Recommendation 5, the Carrier is developing an access review process for the application identified in the Draft Report.

With regard to periodic management review of active user accounts, the Draft Report found [redacted] It recommended that the Carrier implement periodic reviews of active user accounts for critical applications to verify that only active employees whose jobs require them to access an application actually have access. Draft Report, pp. 8-9.

In response to this concern, by the end of the Second Quarter of 2009, the designated business contact will work with the [redacted] administrators to develop an access review process, which will include a quarterly review of staffing changes.

Recommendation 6 (B. Access Controls; 5. Disabling Inactive User Accounts):

   The application containing the exception referenced in Recommendation 6 contains architectural elements which preclude utilization of similar auto-disable capabilities used on other applications noted in the Draft Report. The Carrier believes the manual controls implemented on this application adequately address access risks.

With regard to disabling inactive user accounts, the Draft Report reviewed the user access controls for six applications used to process data relevant to the FEHBP line of business. Although it found that the Carrier has in place “a variety of controls to ensure that user accounts are automatically disabled after a period of inactivity,” one system had manual controls to disable inactive user accounts, but had no automatic controls in place. The Draft Report recommended that the Carrier implement automatic controls to disable accounts on this application after a period of inactivity. Draft Report, p. 9.

The design of the application noted in Recommendation 6 is based on multiple “instances” which make truly automated disabling of access substantially more complex than the five [redacted] applications which did not contain exceptions.

Because of these limitations on the automatic setting, the user security and processing team manually processes deactivation for non-use by extracting last login dates for all instances and specifically setting the account status to inactive on all instances, which fully deactivates the account, per the regional access termination documentation provided during the audit.

Recommendation 7 (B. Access Controls; 6. Password Controls):

   The Carrier updated its password policy in 2008 based on balancing industry best practices against the risks and needs of its associates, which include care delivery personnel. As such, the Carrier believes sufficient password controls are in place.

The Draft Report indicated that while five out of six of the applications reviewed have adequate password controls, it believed that three separate password settings on the remaining system could be improved. The Draft Report recommended that the Carrier change these three settings. Draft Report, pp. 9-10.

In 2008, the Carrier implemented a new enterprise password policy based on balancing existing policies, current industry best-practices, and the various risks and needs of its associates, which include care delivery personnel. The required password length was increased, and passwords were also forced to be made more complex.

With these more stringent standards in place, the Carrier’s decision to remove this control was made following a comprehensive analysis of the value of that control versus operational needs, particularly the needs of its care delivery personnel. It was determined that, given stronger rules for password complexity, the net effect would be equal security with less impact for the users.

In light of these considerations, and the stringent controls already in place, the Carrier believes sufficient password controls are in place.

Recommendations 8 and 9 (E. Business Continuity):

   The Carrier will continue efforts already underway to address the disaster recovery and business continuity risks included in Recommendations 8 and 9.

With regard to disaster recovery and business continuity management, the Draft Report noted that the Carrier has built a disaster recovery organization with a timeline for completing and testing disaster recovery plans for critical applications. It asserted that “the disaster recovery plans are incomplete” and that no “full scope disaster recovery test has yet to be conducted.” Draft Report, p. 11. It recommended that the Carrier “develop and implement business continuity and disaster recovery plans for all of its critical applications” and test these plans at least annually. Draft Report, p. 12.

The Carrier has made considerable investments in disaster recovery and business continuity, and has made significant strides in advancing its implementation and testing capability. For instance, the recent acquisition and integration of the new data center (NDC) required an enormous commitment of resources, represented great progress in the Carrier’s disaster recovery and business continuity implementation efforts, and went a long way to ensuring the viability of critical systems in the event of a disaster.

As these and other efforts reflect, the Carrier understands the importance of disaster recovery and business continuity management, and is committed to completing the implementation of its programs within the timelines it has set for itself.

   1. To augment the progress already made, the Carrier is supplementing its disaster recovery program for its mainframe applications.

Prior to the audit, the Carrier had reviewed and begun to revamp its Disaster Recovery program. As part of this effort, the entire suite of applications was reviewed to determine those that provide mission critical functionality to the organization. For those applications deemed in scope for the new program, disaster recovery requirements were gathered to determine how quickly various applications need to be available. [redacted]

The Carrier has also put in place plans to remediate the rest of the application suite starting with the [redacted] applications running in WCDC. [redacted]

In addition, as part of its plan to further improve its disaster recovery environment, the Carrier is creating and implementing a National Disaster Recovery policy along with an implementation plan by year end (2009) to address the recovery of [redacted] applications not addressed in the current disaster recovery program. This policy and plan will supplement existing efforts by addressing the recovery of [redacted] applications not covered in the current disaster recovery program. The implementation plan will contain a complete timeline and ensure that recovery plans align with business defined objectives. These objectives correspond to the Disaster Recovery (DR) Class of Service that appears on Table 1 below.

As an interim step, by year end 2009, the Carrier will select the DR Class of Service 1 [redacted], provide up-to-date DR plans for them and test them [redacted] The implementation plan to be provided with the national policy will include the roadmap to [redacted] provide recovery appropriate to the DR Class of Service assigned.

Because of the size of the current portfolio of applications, it is not feasible for the Carrier to test all of these annually. However, the Carrier expects to test all DR Class of Service 1 and 2 applications annually after they are migrated to the new national policy requirements. Lower classes of service will be tested on a less frequent basis. Testing criteria will be outlined in the national policy being developed.

The following chart (Table 1) shows the recovery time objectives, recovery point objectives, and recovery method for each DR Class of Service:

   Class of Service   Recovery Time Objective   Recovery Point Objective   Recovery Method
   0*                 0 hours                   0 hours                    Continuous Availability
   1                  ≤4 hours                  ≤2 hours
   2                  ≤24 hours                 ≤8 hours                   Advanced Recovery
   3                  ≤72 hours                 ≤48 hours
   4                  ≤1 week                   ≤72 hours
   5                  ≤2 weeks                  La
st Sa fe Offsite Ba c kup        Standard Revocery\n       6             \xe2\x89\xa41 m onth              La st Sa fe Offsite Ba c kup\n       7             Best Effort                     Best Effort\n       8            No rec overy                   No Rec overy                    No Recovery\n\nTable 1.\n\n[redacted] This will be outlined in the implementation timeline that supports the\nadoption of the new national policy on disaster recovery.\n\n       2.      The Carrier is also supplementing its current business\n               continuity efforts in the departments reviewed in the audit.\n\nThe rating workflow process utilizes applications on the Carrier\xe2\x80\x99s standard data\nstorage and computers and therefore, will rely on the Carrier\xe2\x80\x99s overall IT disaster\nrecovery plans. To supplement these plans, by the end of the Second Quarter\n2009, the unit that supports these applications will document a business\ncontinuity plan to be triggered in the event of a disaster. The plan will cover:\n\n       1) A command center with a list of contact and telephone numbers in\n          order of management hierarchy;\n       2) Staff procedures to be followed; and\n       3) A formal communication plan.\n\nRecommendations 10 and 11 (F. Application Controls; 1. Medical Edits for\nProfessional Encounters, and 2. Non-covered Benefit):\n\n   With regard to the medical edits of professional encounters\n   (Recommendation 10) and processing of non-covered\n   services (Recommendation 11), the Carrier already has in\n\n\n\n                                          10\n\x0c   place several levels of controls to prevent errors, and already\n   had plans to further supplement these efforts.\n\nThe Draft Report found that, although the Carrier uses \xe2\x80\x9ca third party software\npackage\xe2\x80\x9d to perform medical edits of internal hospital encounters, it does not use\nsimilar controls for its internal professional encounters. Draft Report, p. 14. 
It\nrecommended that the Carrier modify its systems to implement these edits for\ninternal professional encounters. Draft Report, p. 14.\n\nIn addition, the Draft Report found that, in the test environment, it was possible to\nprocess two internal encounters for non-covered services, with the cost of these\nservices passed into the FEHBP\xe2\x80\x99s rates. It recommended that the Carrier\nimplement \xe2\x80\x9cappropriate system modifications\xe2\x80\x9d to ensure that internal services not\ncovered by FEHBP did not pass into the FEHBP\xe2\x80\x99s rates. Draft Report, p. 14.\n\nHowever, the Carrier\xe2\x80\x99s internal delivery operations and its system are already\ndesigned to minimize risk and have established controls over how professional\nencounters are documented and captured. The nature of the Carrier\xe2\x80\x99s physician\nworkflow and system functionality minimizes the risk of erroneous coding existing\nin the rating system data. As described during the onsite testing, because of the\nCarrier\xe2\x80\x99s unique arrangement with its contracted medical groups, individual\nphysicians derive no direct financial benefit from the way a particular encounter is\ncoded. In addition, three tools are built into the Carrier\xe2\x80\x99s clinical delivery\napplication to drive a high level of consistency and accuracy:\n\n       1) [redacted] that suggest to the provider appropriate diagnoses and\n          procedures for their specialty;\n       2) A decision tree based tool [redacted] that presents appropriate\n          procedures based on the chief complaint from the patient; and\n       3) Best practice help guides or [redacted] for ordering appropriate\n          procedures based on the patient\'s condition.\n\nAs with covered procedures, individual physicians have no direct financial\nincentive to inappropriately code services they provide. 
Although the existing\nrating data does not check benefit eligibility at a fine level of detail, benefit\nclasses such as [redacted] are excluded in the rating data through benefit\nverification and exclusion logic in the rating data preparation and load process.\n\n[redacted]\n\nTo test the extent to which erroneous coding and non-covered services exist in\nthe Carrier\xe2\x80\x99s rating data, it reviewed claims data for the existence of those\nconditions tested during the auditors\xe2\x80\x99 on-site visit. The Carrier tested twelve (12)\nmonths of data (10/2007 - 9/2008) for a representative sample of our largest\ncommercial customers, representing 14,450,107 member months. These tests\nrevealed no (0) cases of a [redacted] performed on a [redacted]; no (0) cases of\n[redacted] in the same encounter; only three (3) cases of [redacted]during a\n\n\n                                         11\n\x0c[redacted]; and no (0) cases of[redacted]in the [redacted] department. In\naddition, it tested twelve (12) months of paid claims data (10/2007 - 9/2008) for\nall members of the FEHBP, representing 2,147,696 member months, and found\nonly 26 incidences of [redacted]\n\nThis review of actual data indicates that the prevalence of these situations and\nthe associated costs are negligible. The few erroneous codes that appear in the\ndata are statistically insignificant and do not affect a group\xe2\x80\x99s premium rate\noutcome. As part of its regular data validation process, the Carrier will monitor\nthe data for these specific irregularities and if the results should change, it will\ndetermine if adjustments are necessary. [redacted]\n\nGiven the extremely low prevalence of these particular conditions in the existing\ndata, the Carrier has determined that it is cost prohibitive to invest capital on any\nother interim solutions prior to [redacted]. Based on economic conditions, these\nplans may be subject to change.\n\nRecommendation 12 (F. Application Controls; 3. 
Emergency Room to\nHospital Transfers):\n\n   Recommendation 12 concerning emergency room transfers\n   correctly identified a situation in which the Carrier was\n   undervaluing the cost of covered services provided to FEHBP\n   members.\n\nThe Draft Report found that Carrier\xe2\x80\x99s pricing system inadvertently undervalued by\n$50 the price assigned to services provided when an FEHBP member was\ntransferred from the emergency room to the hospital. It recommended that the\nCarrier modify its systems to correct this issue. Draft Report, p. 15.\n\nThe Carrier understands that this situation may have resulted in a negligible\nundercharge to the FEHBP, and appreciates the opportunity to adjust its\nsystems. Development of the detailed requirements is currently in process.\nSystem modifications are targeted to be developed, tested and in production by\nDecember 31, 2009.\n\nRecommendation 13 (F. Application Controls; 4. Pricing of Hospital\nProfessional Services and Room and Board):\n\n   Recommendation 13, concerning the pricing of internal\n   professional services and room and board, reflected a system\n   error that existed only in the test environment.\n\nIn testing the Carrier\xe2\x80\x99s controls for age/procedure inconsistency, the Draft Report\nacknowledged that a system \xe2\x80\x9cbug\xe2\x80\x9d caused the system to automatically re-classify\na procedure as a non-covered service, inaccurately charge the member for room\n\n\n                                         12\n\x0cand board, inaccurately price the non-covered procedure, and pass it to the\nFEHBP rating. The Draft Report recommended further research on this issue.\nDraft Report, p. 15.\n\nThe Carrier has researched this issue and found that this \xe2\x80\x9cbug\xe2\x80\x9d only appears\nwhen one of its source processing files is empty. This condition does not exist in\nnormal production. 
It was a problem the Carrier subsequently identified with the\nFEHBP audit test data run in the test environment. The Carrier\xe2\x80\x99s current\nproduction validation process does account for this issue; therefore, the Carrier\nhas determined that no further action is required.\n\n  III. CONCLUSION\nWe appreciate this opportunity to respond to the Draft Report, and urge OPM to\ngive due consideration to the information provided in this letter.\n\nThis response contains commercial and financial information that is proprietary\nand confidential to the Carrier. Disclosure of this information would cause\nsubstantial harm to the Carrier\xe2\x80\x99s competitive position. OPM is requested to treat\nthis document as confidential. This material is exempt from disclosure under\nSection 552(b)(4) of Title 5 of the United States Code.\n\nPlease do not hesitate to contact me if you have any questions or need any\nadditional information. You can reach me at [redacted]. Thank you.\n\n                                         Sincerely,\n\n\n\n\n                                         [redacted]\n                                                Vice President, FEHBP Line of\nBusiness\ncc: [redacted]\n     Chief, Insurance Group III\n     OPM Insurance Program Services\n\n\n\n\n                                        13\n\x0c'